Jonathan Armstrong,
Founder and Partner of
Cordery Compliance
First proposed in 2012, the long awaited
European Union General Data Protection
Regulation (EU GDPR) now looks set to
come into force in spring 2018. In the
current climate, where it seems we cannot
go a week without a data breach or cyberattack being reported (December's
JD Wetherspoon hack being the biggest recent
example), the new regulation can't come
too soon.
European data protection laws haven’t
changed since 1995, when the Data
Protection Directive was introduced. This
seems like a lifetime ago when you
consider how the data landscape has
changed. For example, twenty years ago
only one per cent of Europeans used the
Internet, and in the past two years we
have created more data than the past
2,000 years. The EU GDPR has been
designed with this in mind, and represents
more than just a fine-tuning of the existing
regulation.
When it comes into force, the EU GDPR
will impose much stricter requirements for
reporting data breaches and safeguarding
customer data than current legislation, as
well as more severe penalties. For
example, individuals affected by a breach
will need to be told that their information has
been compromised, the supervisory authority must be
notified of a breach within 72 hours of the
organisation becoming aware of it, and
companies over a certain size will need to
appoint a data protection officer. Not only
have the rules changed, but also the
punishment: there will be increased
sanctions for data breaches, including
fines of up to 4% of an organisation's
global annual turnover (or €20 million,
whichever is higher), and potentially
criminal liability for executives under
national law.
Despite this, far too many organisations
have not yet begun to think about the
impact of the EU GDPR on their approach
to data protection. With the stakes so
high, businesses cannot afford to be
complacent about complying with the EU
GDPR. The sooner businesses are able to
prepare and ensure they’re compliant with
the upcoming regulation, the better their
chances of not falling foul of the
Regulation when it comes into force.
With this in mind, we’ve compiled some
essential top tips, outlining the actions
that businesses must undertake now to
ensure compliance.
1. Understand the impact: Put in place a
data protection impact assessment
policy so you understand how your
business will have to adapt to the new
regulation, and the potential impact of
a breach.
2. Thoroughly review vendor contracts:
Vendors’ help will be needed to ensure
compliance, especially in reporting
security breaches. Organisations
should make sure they have the
contractual rights to insist on this and
they should make sure that they can
hold their vendors to account in the
event of them causing a data breach.
3. Recruit new team members:
Businesses over a certain size must
recruit a Data Protection Officer, with
smaller companies appointing
someone responsible for data-related
matters.
4. Update everything: Ensure that new,
detailed documentation and records of
processing are ready to produce for regulatory
inspection, and factor the cost of maintaining
them into your overheads.
5. Day to day implementation: Review
how all of the key practical aspects of
the EU GDPR, such as data retention
and destruction, apply to every means
of collecting data used by your
organisation. Where a particular method
of collection does not meet the new
requirements, that method must be
changed or retired.
6. Create processes: Put in place a data
breach notification procedure,
covering detection and response
capabilities. It is also worth
considering purchasing data breach
protection insurance.
7. Demonstrate compliance: Create
compliance statements for annual
business reports. Not only will this
show the wider world that you’re
compliant, but it will also ensure a
consistent focus on this throughout
the year.
8. Deliver effective training: This has
never been more important, given the
EU GDPR will be completely new to
many of your employees. It will be vital
that your staff are thoroughly trained
on all of the above.
There will be considerable challenges to
comply with the new rules. The less time
your organisation has to make sure all of
its systems and processes comply with
the new rules, the harder it will be. What’s
more, rushing through the changes
needed will inevitably lead to errors, which
could result in breaches and costly fines.
However, a measured approach, using the
time available, will allow you to
successfully navigate the increasingly
stormy seas of data regulation, and reach
compliance before the EU GDPR hits with
full force.
Contact us today at
www.securityplusonline.co.uk to learn
more about GDPR.